yuk*_*say 4 ssh security cron logs
我正在查看服务器上的日志文件,发现以下几行/var/log/.auth.log.1:
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruse r= rhost=218.87.109.156 user=root
Failed password for root from 218.87.109.156 port 7612 ssh2
message repeated 5 times: [ Failed password for root from 218.87.109.156 port 7 612 ssh2]
error: maximum authentication attempts exceeded for root from 218.87.109.156 po rt 7612 ssh2 [preauth]
Disconnecting: Too many authentication failures [preauth]
PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost= 218.87.109.156 user=root
PAM service(sshd) ignoring max retries; 6 > 3
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruse r= rhost=218.87.109.156 user=root
Failed password for root from 218.87.109.156 port 50092 ssh2
message repeated 5 times: [ Failed password for root from 218.87.109.156 port 5 0092 ssh2]
Failed password for invalid user service from 188.187.119.158 port 52722 ssh2
pam_unix(sshd:auth): check pass; user unknown
Failed password for root from 113.195.145.79 port 6500 ssh2
Received disconnect from 121.18.238.39 port 58070:11: [preauth]
Failed password for root from 121.18.238.119 port 57538 ssh2
Failed password for root from 121.18.238.39 port 57268 ssh2
Failed password for root from 121.18.238.106 port 34360 ssh2
Disconnected from 92.222.216.31 port 58960 [preauth]
Invalid user truman from 92.222.216.31
Received disconnect from 92.222.216.31 port 33922:11: Normal Shutdown, Thank you for playing [preauth]
input_userauth_request: invalid user truman [preauth]
并且它一直这样持续了数千行!
还有我有的地方:
Nov 30 13:17:01 Aran CRON[6038]: pam_unix(cron:session): session opened for user root by (uid=0)
CRON在这里是什么意思?所以有人可以向我解释这些日志是什么吗?我有危险吗?我该怎么做才能让自己更安全?
所有这些尝试登录都是针对 root 用户的,因此看起来只是通过 SSH 进行的基本暴力尝试。
面向公众的服务器每天进行大量 SSH 蛮力尝试是完全正常的。这是生活中的事实。您可以开始向拥有 IP 地址的 ISP 报告它们,但这是一针见血的事情,您不会有太大的不同。他们在互联网上使用受感染的计算机和/或他们在虚假详细信息下注册的托管帐户。
如果每个人都决定通过 SSH 禁用 root 登录,和/或要求 root(或每个人)使用基于密钥的登录,那么会有什么不同。只要您完成了其中一项,蛮力尝试基本上是无效的。但是因为有足够多的人仍然启用普通的 root 登录,并且上面有一个可猜测的密码,这些攻击仍在继续。
有些人推荐的另一件事是将您的 SSH 守护程序切换到非标准端口号。这并没有真正带来显着的安全优势,但会减少访问日志文件的尝试次数。
至于你的第二个问题,这只是Cron running,也就是运行定时任务的程序。所有系统都有一堆系统默认配置的定时任务。由于 cron 可以作为不同的用户运行不同的任务,它使用 pam_unix 来处理启动用户会话,即使是在 root 时,这就是它出现在该日志中的原因。
这个答案并不能真正回答谁试图登录您的主机,但它可以让您了解这个人来自哪里。还有助于防止黑客入侵您的主机。
如果您打算使用密码通过 ssh 登录,您应该采取一些预防措施来防止有人试图侵入您的系统。对于我个人的使用,我喜欢使用fail2ban,然后我编写了自己的脚本,使用iptables和ipset. 后一部分我用于完全阻止国家 IP 进入我的主机的端口 22。我还安装geoiplookup了一种方式来查看 IP 来自何处,以决定是否要阻止该国家/地区。我下面的脚本从ipdeny.com. 自从我大部分时间都打开端口 22 以来,它大大减少了我主机上的尝试次数。
安装fail2ban:
sudo apt install fail2ban
通常用fail2ban默认设置就OK了。如果您想更改它们,请确保复制/etc/fail2ban/jail.conf为/etc/fail2ban/jail.local并修改jail.local您创建的文件。您还可以在/var/log/fail2ban.log文件中看到失败的尝试。
安装geoiplookup:
sudo apt install geoip-bin
然后您可以看到 IP 地址的来源。
~$ geoiplookup 218.87.109.156
GeoIP Country Edition: CN, China
我创建的国家/地区阻止脚本。
国家/地区块所需的应用程序是ipset。此应用程序允许iptables使用 IP 块,而不是在您检查iptables.
sudo apt install ipset
我确信有很多东西可以清理。我将我的放在我的主文件夹中的脚本子文件夹中,并将其命名为country_block.bsh. 由于脚本对其进行了更改,iptables因此必须从sudo. 我确实将支票添加到脚本中。我最近对脚本进行了一些更改,以拒绝数据包而不是丢弃数据包,因此连接立即断开。
sudo apt install fail2ban
确保使脚本可执行 ( chmod +x country_block.bsh)。然后,您可以custom.zone在与文件相同的文件夹中创建一个country_block.bsh只有 IP的文件,这些 IP 可能会一遍又一遍地尝试破解您的系统。/32在 IP 地址的末尾添加它们,例如256.99.265.106/32. 添加自己的自定义 IP 后,只需运行以下命令即可重新加载它们:
sudo ./country_block.bsh custom
注意不要屏蔽您自己的国家或您自己的公共 IP。
还要注意不要阻塞任何其他未打开的端口。如果您阻止端口 80,则有可能如果您访问来自该国家/地区的网站,则该网站将无法加载,因为它无法通过端口 80 返回您的系统。
然后我在我的主文件夹中创建了另一个脚本,cb_update.bsh其中包含我想要阻止的所有国家/地区:
#!/bin/bash
cd /home/terrance/scripts/
./country_block.bsh cn ru nl de dk fr id ie it kr sg tw vn br ua pt il gb jp pk ar co fi in
如果您想屏蔽除您自己以外的所有国家/地区,请将上面的行更改为以下内容,并确保将您的国家/地区添加到" "该行的末尾以将您的国家/地区从列表中删除:
./country_block.bsh $(./country_block.bsh | awk -F '[()]' '{print $(NF-1)}' | grep -v "US")
然后我将以下行添加到我的/etc/crontab文件中。它涵盖了我的系统每次重新启动并在早上 01:05 更新列表。
$ cat /etc/crontab
@reboot root /bin/bash -c 'sleep 20 && /home/terrance/cb_update.bsh'
01 05 * * * root /home/terrance/cb_update.bsh
如果您自己运行脚本,它将为您提供国家/地区代码:
terrance@terrance-ubuntu:~/scripts$ sudo ./country_block.bsh
AFGHANISTAN (AF)
LAND ISLANDS (AX)
ALBANIA (AL)
ALGERIA (DZ)
AMERICAN SAMOA (AS)
ANDORRA (AD)
ANGOLA (AO)
ANGUILLA (AI)
ANTIGUA AND BARBUDA (AG)
ARGENTINA (AR)
ARMENIA (AM)
ARUBA (AW)
AUSTRALIA (AU)
AUSTRIA (AT)
AZERBAIJAN (AZ)
BAHAMAS (BS)
BAHRAIN (BH)
BANGLADESH (BD)
BARBADOS (BB)
BELARUS (BY)
BELGIUM (BE)
BELIZE (BZ)
BENIN (BJ)
BERMUDA (BM)
BHUTAN (BT)
BOLIVIA (BO)
BOSNIA AND HERZEGOVINA (BA)
BOTSWANA (BW)
BRAZIL (BR)
BRITISH INDIAN OCEAN TERRITORY (IO)
BRUNEI DARUSSALAM (BN)
BULGARIA (BG)
BURKINA FASO (BF)
BURUNDI (BI)
CAMBODIA (KH)
CAMEROON (CM)
CANADA (CA)
CAPE VERDE (CV)
CAYMAN ISLANDS (KY)
CENTRAL AFRICAN REPUBLIC (CF)
CHAD (TD)
CHILE (CL)
CHINA (CN)
COLOMBIA (CO)
COMOROS (KM)
CONGO (CG)
CONGO, THE DEMOCRATIC REPUBLIC OF THE (CD)
COOK ISLANDS (CK)
COSTA RICA (CR)
COTE D'IVOIRE (CI)
CROATIA (HR)
CUBA (CU)
CYPRUS (CY)
CZECH REPUBLIC (CZ)
DENMARK (DK)
DJIBOUTI (DJ)
DOMINICA (DM)
DOMINICAN REPUBLIC (DO)
ECUADOR (EC)
EGYPT (EG)
EL SALVADOR (SV)
EQUATORIAL GUINEA (GQ)
ERITREA (ER)
ESTONIA (EE)
ETHIOPIA (ET)
FAROE ISLANDS (FO)
FIJI (FJ)
FINLAND (FI)
FRANCE (FR)
FRENCH GUIANA (GF)
FRENCH POLYNESIA (PF)
GABON (GA)
GAMBIA (GM)
GEORGIA (GE)
GERMANY (DE)
GHANA (GH)
GIBRALTAR (GI)
GREECE (GR)
GREENLAND (GL)
GRENADA (GD)
GUADELOUPE (GP)
GUAM (GU)
GUATEMALA (GT)
GUINEA (GN)
GUINEA-BISSAU (GW)
GUYANA (GY)
HAITI (HT)
HOLY SEE (VATICAN CITY STATE) (VA)
HONDURAS (HN)
HONG KONG (HK)
HUNGARY (HU)
ICELAND (IS)
INDIA (IN)
INDONESIA (ID)
IRAN, ISLAMIC REPUBLIC OF (IR)
IRAQ (IQ)
IRELAND (IE)
ISLE OF MAN (IM)
ISRAEL (IL)
ITALY (IT)
JAMAICA (JM)
JAPAN (JP)
JERSEY (JE)
JORDAN (JO)
KAZAKHSTAN (KZ)
KENYA (KE)
KIRIBATI (KI)
KOREA, DEMOCRATIC PEOPLE'S REPUBLIC OF (KP)
KOREA, REPUBLIC OF (KR)
KUWAIT (KW)
KYRGYZSTAN (KG)
LAO PEOPLE'S DEMOCRATIC REPUBLIC (LA)
LATVIA (LV)
LEBANON (LB)
LESOTHO (LS)
LIBERIA (LR)
LIBYAN ARAB JAMAHIRIYA (LY)
LIECHTENSTEIN (LI)
LITHUANIA (LT)
LUXEMBOURG (LU)
MACAO (MO)
MACEDONIA, THE FORMER YUGOSLAV REPUBLIC OF (MK)
MADAGASCAR (MG)
MALAWI (MW)
MALAYSIA (MY)
MALDIVES (MV)
MALI (ML)
MALTA (MT)
MARSHALL ISLANDS (MH)
MARTINIQUE (MQ)
MAURITANIA (MR)
MAURITIUS (MU)
MAYOTTE (YT)
MEXICO (MX)
MICRONESIA, FEDERATED STATES OF (FM)
MOLDOVA, REPUBLIC OF (MD)
MONACO (MC)
MONGOLIA (MN)
MONTENEGRO (ME)
MONTSERRAT (MS)
MOROCCO (MA)
MOZAMBIQUE (MZ)
MYANMAR (MM)
NAMIBIA (NA)
NAURU (NR)
NEPAL (NP)
NETHERLANDS (NL)
NEW CALEDONIA (NC)
NEW ZEALAND (NZ)
NICARAGUA (NI)
NIGER (NE)
NIGERIA (NG)
NIUE (NU)
NORFOLK ISLAND (NF)
NORTHERN MARIANA ISLANDS (MP)
NORWAY (NO)
OMAN (OM)
PAKISTAN (PK)
PALAU (PW)
PALESTINIAN TERRITORY, OCCUPIED (PS)
PANAMA (PA)
PAPUA NEW GUINEA (PG)
PARAGUAY (PY)
PERU (PE)
PHILIPPINES (PH)
POLAND (PL)
PORTUGAL (PT)
PUERTO RICO (PR)
QATAR (QA)
REUNION (RE)
ROMANIA (RO)
RUSSIAN FEDERATION (RU)
RWANDA (RW)
SAINT KITTS AND NEVIS (KN)
SAINT LUCIA (LC)
SAINT PIERRE AND MIQUELON (PM)
SAINT VINCENT AND THE GRENADINES (VC)
SAMOA (WS)
SAN MARINO (SM)
SAO TOME AND PRINCIPE (ST)
SAUDI ARABIA (SA)
SENEGAL (SN)
SERBIA (RS)
SEYCHELLES (SC)
SIERRA LEONE (SL)
SINGAPORE (SG)
SLOVAKIA (SK)
SLOVENIA (SI)
SOLOMON ISLANDS (SB)
SOMALIA (SO)
SOUTH AFRICA (ZA)
SPAIN (ES)
SRI LANKA (LK)
SUDAN (SD)
SURINAME (SR)
SWAZILAND (SZ)
SWEDEN (SE)
SWITZERLAND (CH)
SYRIAN ARAB REPUBLIC (SY)
TAIWAN (TW)
TAJIKISTAN (TJ)
TANZANIA, UNITED REPUBLIC OF (TZ)
THAILAND (TH)
TIMOR-LESTE (TL)
TOGO (TG)
TOKELAU (TK)
TONGA (TO)
TRINIDAD AND TOBAGO (TT)
TUNISIA (TN)
TURKEY (TR)
TURKMENISTAN (TM)
TURKS AND CAICOS ISLANDS (TC)
TUVALU (TV)
UGANDA (UG)
UKRAINE (UA)
UNITED ARAB EMIRATES (AE)
UNITED KINGDOM (GB)
UNITED STATES (US)
UNITED STATES MINOR OUTLYING ISLANDS (UM)
URUGUAY (UY)
UZBEKISTAN (UZ)
VANUATU (VU)
VENEZUELA (VE)
VIET NAM (VN)
VIRGIN ISLANDS, BRITISH (VG)
VIRGIN ISLANDS, U.S. (VI)
WALLIS AND FUTUNA (WF)
YEMEN (YE)
ZAMBIA (ZM)
ZIMBABWE (ZW)
Choose any of the countries by typing in the two letter code between the ( ).
然后,您可以随时检查系统中可能发生的点击。
$ sudo iptables -nvL INPUT
Chain INPUT (policy ACCEPT 9523 packets, 3125K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
0 0 f2b-proftpd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,20,990,989
2847 170K f2b-sshd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
12 548 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set CHINA src multiport dports 22,10000
4 176 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set RUSSIANFEDERATION src multiport dports 22,10000
1 44 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set NETHERLANDS src multiport dports 22,10000
2 88 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set GERMANY src multiport dports 22,10000
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set DENMARK src multiport dports 22,10000
157 8156 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set FRANCE src multiport dports 22,10000
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set INDONESIA src multiport dports 22,10000
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set IRELAND src multiport dports 22,10000
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set ITALY src multiport dports 22,10000
4 180 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set KOREAREPUBLICOF src multiport dports 22,10000
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set SINGAPORE src multiport dports 22,10000
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set TAIWAN src multiport dports 22,10000
947 48804 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set VIETNAM src multiport dports 22,10000
2 92 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set BRAZIL src multiport dports 22,10000
6 264 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set UKRAINE src multiport dports 22,10000
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set PORTUGAL src multiport dports 22,10000
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set ISRAEL src multiport dports 22,10000
3 180 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set UNITEDKINGDOM src multiport dports 22,10000
1 44 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set JAPAN src multiport dports 22,10000
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set PAKISTAN src multiport dports 22,10000
2 88 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set ARGENTINA src multiport dports 22,10000
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set COLOMBIA src multiport dports 22,10000
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set FINLAND src multiport dports 22,10000
4 188 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set INDIA src multiport dports 22,10000
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set CUSTOM_IP src multiport dports 22,10000
希望这可以帮助!
| 归档时间: |
|
| 查看次数: |
4169 次 |
| 最近记录: |